GDPR, data protection officer | Do organizations have to appoint a Data Protection Officer (DPO)? Answer - Not necessarily!
A “Data Protection Officer” (DPO) was always necessary for large enterprise organizations processing personal data. However, for the first time, the appointment of a DPO will be mandatory under the General Data Protection Regulation (GDPR), regardless of company size or whether they are processing personal data in their capacity as a controller or processor. But, before you hire a DPO – STOP and check with the Natuvion team first before you hire unnecessarily.
Which US companies are required to appoint a DPO?
Under the GDPR (Article 37), there are just three scenarios where the appointment of a DPO by a controller or processor is mandatory:
The processing is carried out by a public authority;
The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10).
Until recently, exactly what the terms highlighted in bold above meant has been unclear. However, ‘Guidelines on Data Protection Officers’ published by the Article 29 Working Party (“WP29”) on December 16, 2016, has added the detail that we (you and Natuvion) need to comply with Articles 37, 38, and 39 of the GDPR.
5 Skills a DPO requires;
Experience assessing risk and best practice mitigation
Legal expertise, knowledge of EU, state and country jurisdiction laws
Ability to effectively communication with all levels in a business
Project management skills with leadership exposure
Self starter with the ability to train others for example in the DSR process (see Natuvion’s DSR process app for more information)
4 Tasks a DPO is responsible for;
Work closely with regulators to ensure compliance
Train staff on proper data handling practices
Keep up with changes in law and technology
Build, implement and manage privacy programs